As more and more enterprise-grade attacks cripple large organizations and CISOs face the mammoth task of keeping such threats at bay, Surendra Singh, Country Director, Forcepoint, sheds light on the security giant’s recent whitepaper on ‘The State of Cybersecurity’ and how a human point approach to security is critical for today’s CISOs.
Please shed some light on ‘The State of Cybersecurity’ whitepaper.
Our recent whitepaper, ‘The State of Cybersecurity 2017’ dives deep into people-based risks and the Cyber Continuum of Intent. It profiles different types of insiders and factors that help provide insight into the intent behind an employee’s behavior. These factors include security awareness, attention to detail, and job satisfaction among others. With such a ‘people-centric’ lens, the security industry will be prepared to face the most complex threats now and in the future.
In 2017, we also conducted a study titled – “The Human Point: An Intersection of Behaviors, Intent & Data” with 1,250 cybersecurity professionals worldwide to understand what is giving them sleepless nights and what are the issues that they are facing.
In a nutshell, two very valid points came out of the survey. The first one was on the visibility front – as long as everything was within the organization’s infrastructure, employees were within the office using managed devices. Whether laptops or mobile phones, data was always inside the infrastructure.
“There is a big need to rethink about the technology and we at Forcepoint feel that the next big thing is human point security.”
A website is more secure because of Cloud, because cloud gives visibility into how your data is being protected by the service provider. So you get the visibility and you also get the visibility of those devices which are not managed.
Coming to BYOD, personal devices are not being managed by the organizations. They don’t have visibility as to what applications are being used on BYOD devices. This lack of visibility is the number one issue for all CIOs and CISOs. This was also made pretty clear during the survey.
The second biggest issue was on internal breaches. At a recent CIO event in Bangkok, I had asked a question on ‘WannaCry’. In the aftermath of the WannaCry breakout, the CIOs were aware of the vulnerability that Microsoft had published and should have been able to patch it. Some of the CIOs present then explained the practical challenge. Each day these CIOs get many advisories to patch many machines. An everyday patching regime results in disruptions for the users, the business halts and suffers. Thus there is a practical limitation on how many machines can be patched for how many applications and they have to prioritize this based on the risk.
These survey findings are very pertinent to what we proposed in the market now. They focus on the essential focus which is on human point and on how by tracing human behavior you can make your organization more secure.
When you talk to CIOs and CISOs, how is the concept of organizational security changing for them?
The number one issue would be that there are so many breaches that their teams are extremely busy in trying to integrate the various security pieces. So a typical CIO of a medium-sized organization’s number one concern is the time his team is spending in just trying to integrate these products and not being able to work on security posture. They need answers to questions like ‘Who could attack us? Who are these threat attackers? What are their strategies and tactics? What should they do in terms of tactics and strategies to counteract these?’
Number two issue that they are facing is a lack of sufficient manpower. There is not enough manpower in any organization and there are so many vacancies for cyber security professionals. So definitely we need more of automation and have less complexity. But today, with so many innovations happening in the security world, many good security products have come helping them solve this problem to an extent. Today we have reached the inflection point where too many fine products are actually affecting and harming the security of the organization.
Remote workforces, virtual offices and concepts like BYOD and MDM: How have these cultural changes transformed tasks of the security staff or organization?
The organizations have to reorganize or rather rethink about the security because some of them still have the same security which we did 10 years back and depended on securing the infrastructure. Giving flexibility to the employee to work from home or work from remote offices enhances employee satisfaction and I see a lot of movement in this direction. This is something which will grow and the entire security is based on perimeter security. Today, we do 90% of the work without touching the corporate network. We use the public cloud for so many things and hardly the company corporate network. Traditionally, security is built to secure the corporate network but today that is no more important.
There is a big need to rethink about the security technologies and we at Forcepoint feel that the next big thing is human point security because the answer is that, where is the employee? Whatever he is doing, if you can trace the behavior and see if the employee’s behavior is changing because of circumstances or maybe because the machine has got compromised and a hacker is using his machine to become the employee.
There are solutions like CASB, which is called Cloud Access Security Broker. It gives a lot of visibility to CIOs as to what is going on within their organization, like which employee is using what applications. In the initial survey, the CIOs and CSOs are very surprised because they would have thought that maybe we are using 20 sanctioned applications and there might be another 50 or 100 sanctioned applications. But for mid to large organizations, there are more than 1000 unsanctioned applications, which is mind-boggling. And how many of these thousands are actually security risk, there is absolutely no idea. So this Cloud Security Access solution gives purpose to take care of this visibility and gives some complaints to the CIOs to review their risk on going to public cloud.
How do Indian cybersecurity professionals understand this concept? Are they able to implement this concept?
Some of the elements of human point have been in India for last 7 or 8 years. DLP has definitely been there but insider threat protection was very recently introduced. It is a work in progress where we are doing events. We are talking to people to create awareness and are also interacting with customers. So it is just a start and I think it will take another 6 to 12 months for Indian customers to fully understand, accept, do the pilot, and then a project on this.
With attacks like WannaCry and Petya, are organizations actually realizing where they are lacking and are being targeted by cyber attackers? Does this demand a change in the organizational employee policies?
Let me start from the bottom of the equation, a change in policy is actually required and these ransomware attacks are a very good exercise in creating awareness. Awareness is definitely important and I think the awareness among employees is extremely important. CIOs and CISOs are also realizing that every year more money is being spent on security than the previous year and yet we are less secured. There are some serious issues which we are able to pinpoint. Too many point products is definitely the number one issue.
Number two is that the security infrastructures are very complex which needs simplification and the focus is only on the essential. Today, we need to simplify security, focus on few things which can maximum potential. Until and unless an organization doesn’t simplify, it will not be able to secure itself. Till recently, they had been spending too much time on doing something which gives less value, so I believe there is a realization.
What are your plans and your targets regarding this technology in the coming year? How do you plan to cater to the Indian market?
We are addressing this need through events which we did in Bangalore, Delhi and Mumbai where a large number of customers came. At the same time, we are educating and training our channel partners also. We are directly in touch with the early adopters and then the second layer of customers is addressed through events like these. And then we have our channel partners who are engaging every customer and every prospect.
What is your advice to the Enterprise IT World community of CIOs and CISOs?
It is high time professionals realize that they have to look for the change. Once they are open to change, and are willing to look at what new things can be done, they will do much better. On the other hand, if they are not willing to change, then I think it is going to be tougher as security threats are only going to grow. The threats are very high and organizations cannot afford to risk and so it is important to change.